In brief: Secure Boot was originally introduced with Windows 8 as a firmware-based security feature designed to protect the OS from potentially malicious boot code. After more than 15 years, the original Secure Boot certificates are being retired and replaced with newer ones.
Microsoft is reminding users that the Secure Boot ecosystem will soon require a mandatory check-up. The Redmond-backed security protocol, part of the UEFI specification and primarily used on Windows systems, will need new encryption certificates because the older ones are expiring over the next few months.
Nuno Costa, a program manager in Microsoft's Windows Servicing and Delivery division, explained that the original Secure Boot certificates are reaching the end of their lifecycle. Starting in June 2026, the old certificates will no longer be valid.
"As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection. Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations," Costa wrote on the official Windows blog.
Microsoft delivered up-to-date certificates for Secure Boot in 2023, but the originals have been used to validate the boot process since Windows 8. Users and organizations can obtain the newer certificates from several trusted sources, including UEFI firmware updates for compatible motherboards.
Microsoft will also roll out the new certificates alongside its monthly bug fixes and security updates via Windows Update. Enterprise organizations can customize the update process using their preferred management tools. In any case, Microsoft describes the new certificates as one of the largest coordinated security maintenance efforts in the Windows ecosystem.
Redmond must cooperate with hardware manufacturers, OEMs, and other partners to upgrade the firmware on millions of individual Windows devices. Because Secure Boot operates at the firmware level and controls how a PC starts, the upgrade must be carefully coordinated to avoid widespread disruptions.
Windows Update can deliver the new certificates to Windows PCs that are still supported by Microsoft, including Windows 11 and Windows 10 systems enrolled in the Extended Security Updates program. Older PCs will be unable to install the new certificates, which could leave those devices less secure.
Costa noted that a device still using the 2011 certificates should continue to boot as expected. However, the PC will be in a "degraded" security state, which may prevent it from receiving future firmware-level protections. Dell provides instructions for checking whether newer Secure Boot certificates are available on a system.
"As new boot-level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware or Secure Boot-dependent software may fail to load," Costa said.
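A quick way to see where a Windows machine stands in this transition is to read the firmware's KEK and db variables and look for the 2011-era and 2023-era Microsoft CAs. The script below is an added example written for this article, not Microsoft's or Dell's own tooling; the certificate subject names it searches for are assumed by the example (the article does not list them), and it must run from an elevated PowerShell prompt on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example: report which Microsoft Secure Boot CAs the firmware currently trusts.
# Uses the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI).

function Get-SecureBootCaStatus {
    # Confirm-SecureBootUEFI throws on platforms without Secure Boot support.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "This platform does not expose Secure Boot state: $($_.Exception.Message)"
        return
    }
    if (-not $enabled) {
        Write-Warning "Secure Boot is disabled; the boot path is not being signature-checked."
    }

    # Subject names of the old (2011) and new (2023) Microsoft CAs. These names are an
    # assumption of this example; verify them against Microsoft's published guidance.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
                'Microsoft Corporation UEFI CA 2011',    'Microsoft UEFI CA 2023')
    }

    foreach ($var in $expected.Keys) {
        # KEK and db are blobs of EFI_SIGNATURE_LISTs holding DER-encoded certificates.
        # The subject CN is stored as a PrintableString, so its bytes survive an ASCII
        # decode and a substring match is a reliable presence check.
        $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($ca in $expected[$var]) {
            [pscustomobject]@{
                Variable = $var
                CA       = $ca
                Present  = $text.Contains($ca)
            }
        }
    }
}

Get-SecureBootCaStatus | Format-Table -AutoSize
```

Because db and dbx updates are authenticated against a key in the KEK, a machine whose KEK lacks the 2023 CA is the case the article calls "degraded": it will keep booting, but it cannot accept mitigations signed under the new hierarchy until the KEK is refreshed by a firmware or Windows update.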
PCs that don't use Secure Boot are likely to operate normally. Over the years, Secure Boot has been affected by several significant security issues, including the infamous PKfail vulnerability. However, Secure Boot is increasingly becoming a requirement for online games and MOBAs, leaving users on Linux, or on older but still capable gaming systems, at a disadvantage.
